Time-based “Blind Command Injection” Un-blinding

While blind command injection web vulnerabilities are incredibly useful, there’s no reason we shouldn’t make them un-blind. Chaining slow running commands to useful commands we can enumerate (or bruteforce) data – such as filenames, paths or strings… similar to what’s done in blind SQL Injection attacks: Blind_SQL_Injection#Time-based.

Consider the following chained commands:

ls -l a* && ping -c 10 127.0.0.1

If the folder the “ls -l a*” command is executed in contains one or more files starting with “a”, then the second command “ping -c 10 127.0.0.1” will also be run, causing an extra 10 second delay.

Assuming we’ve found a vulnerable web page (not returning the output from our command injection), such as vulnerable.php, we can create a script that loops through characters in a character set to build up commands such as the “ls” above… measuring the response times, and adding characters, we can effectively bruteforce filenames or other strings.

The beauty here is that we don’t need to bruteforce every possibly character combination as one would when bruteforcing a password – we just need to correctly determine the first letter, then second, third, etc. Making it completely viable (and rather quick) to get even a directory listing. I’ve created a Proof of Concept script that does just this, linked to below.

Here’s a demo of a “ls -l” being enumerated, by inserting characters and then building up the string being searched for:

That’s it running at pretty much realtime over my network, outputting letters of filenames as it finds them. There is a known issue where a file with a partial filename of another file is left out (“encoders.py” vs “encoders.pyc”).

We can also use the same method to run other commands, such as extracting the result of “pwd” by piping it to grep and having it match lines starting with the string of characters:

Or a line from “/etc/passwd” (passed in to a grep for “root” to get a single line)

Have a look at the Proof of Concept code at PoC.php – there are examples at the bottom of the file (including retrieving “whoami” not shown above).

It’s still quite rough and the current PHP code requires libcurl (and possibly PHP running inside Apache), but I have plans of re-writing it in to a standalone command line script, as well as porting it to Python and Ruby.